It is possible to construct font files supposed to be loaded by imageloadfont() which trigger OOB reads if the fonts are actually accessed (e.g. by imagechar()). The given test scripts exploits that by triggering the assignment of a zero byte memory allocation to gdFont.data (which is happily accepted by imageloadfont()), and to read beyond this "buffer" when calling imagechar(). So if an application allows to upload arbitrary font files and working with these, it is likely vulnerable. References: https://www.php.net/ChangeLog-8.php#8.0.25 https://bugs.php.net/bug.php?id=81739
Created php tracking bugs for this issue: Affects: fedora-all [bug 2139281]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:0848 https://access.redhat.com/errata/RHSA-2023:0848
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:0965 https://access.redhat.com/errata/RHSA-2023:0965
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2417 https://access.redhat.com/errata/RHSA-2023:2417
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:2903 https://access.redhat.com/errata/RHSA-2023:2903
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-31630